If you suspect that these files or the keystore have been compromised in any way, contact Oracle support for assistance in changing passwords.

B.2 Generating New Keystore and Truststore Files

To ensure a secure connection, the Core Server and the Client use the SSL protocol to exchange sensitive information contained in files known as a keystore and a truststore. A keystore contains private keys, and the certificates with their corresponding public keys. A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties. To learn more about the Java SSL protocol and keystores and truststores, visit the following URL:

http://java.sun.com/docs/books/tutorial/security/sigcert/index.htm

The Core Server generates a self-signed certificate during installation. The keystore files (keystore and truststore) are generated the first time the Client connects to the Server. If something happens to the Client's keystore files (modified or deleted, for example), they are regenerated on the next startup, when you are prompted to accept the certificate. If something happens to the Server's keystore files, however, or if tampering is suspected, then it becomes necessary to generate new keystore files to continue secure operations.

B.2.1 Before You Begin

Back up the original files, if they exist (mvserver.ks and mvserver.ts); they are located in the following directory:

$OACC_INSTALL/com.mvalent.integrity_5.3.2/webserver/tomcat

You will use the keytool utility that comes with any JDK 1.6 installation to regenerate your keystore files. This utility displays passwords in cleartext, so be sure to take the necessary security precautions. Also, you may want to record the values that you supply, such as passwords and paths, because you will need to provide them several times during the process. To learn more about keytool, visit the following URL:

alias_value is the identifier of the original key created during keystore creation. This value can be any string.

password is a strong password for accessing the keystore file. Tomcat requires that you specify the same value to access the keystore and its private key.

store_path is the path of the keystore file that you are generating.

dbname_values are optional values that identify the owner of the credentials passed from the Server to any Client. For example: "CN=Application Configuration Console Server, OU=Enterprise Manager Grid Control, O=Oracle Corporation, L=Redwood City, S=California, C=US"

Note:

If you receive the following error: "keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect", it probably means that a file already exists at the store_path you specified. Move or rename that file and rerun keytool. If this is not the case, contact support.

Verify that the keystore file was created at the specified location. It should be about 2KB in size.

B.2.3 Generate a New Truststore

To generate a new truststore file, proceed as follows:

Open a command shell prompt.

Change directory to JDK1.6_HOME/bin; for example, if you elected to use the JDK embedded with the Core Server installation, change to this directory:

alias_value is the identifier of the original key created during truststore creation. This value can be any string.

password is a strong password for accessing the truststore file. Tomcat requires that you specify the same value to access the truststore and its private key.

store_path is the path of the truststore file that you are generating.

dbname_values are optional values that identify the owner of the credentials passed from the Server to any Client. For example: "CN=Application Configuration Console Server, OU=Enterprise Manager Grid Control, O=Oracle Corporation, L=Redwood City, S=California, C=US"

Note:

If you receive the following error: "keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect", it probably means that a file already exists at the store_path you specified. Move or rename that file and rerun keytool. If this is not the case, contact support.

Verify that the truststore file was created at the specified location. It should be about 2KB in size.
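The keystore and truststore generation steps above, as an added shell example that is not part of the Oracle documentation. The alias, passwords and paths are constructed placeholders, the truststore is built by importing the keystore's certificate rather than by generating a second key pair, and the pre-check guards against the "Keystore was tampered with" error described in the notes.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: regenerate a server keystore
# and truststore with keytool. Alias, password and paths are constructed
# placeholders; the truststore is built by importing the keystore's certificate
# rather than by generating a second key pair.
set -eu

# Pre-check for the "Keystore was tampered with, or password was incorrect"
# error: keytool raises it when store_path already exists and the new password
# does not open it, so refuse to proceed until the old file is moved away.
ensure_new_store_path() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite existing store $1; move or rename it first" >&2
        return 1
    fi
}

# New keystore with a 2048-bit RSA key pair and a self-signed certificate.
# Tomcat needs one password for the store and its private key, so -storepass
# and -keypass both receive $password.
generate_keystore() {
    alias_value=$1; password=$2; store_path=$3; dname_values=$4
    ensure_new_store_path "$store_path"
    keytool -genkeypair -alias "$alias_value" -keyalg RSA -keysize 2048 \
        -validity 365 -keystore "$store_path" \
        -storepass "$password" -keypass "$password" -dname "$dname_values"
}

# New truststore holding only the server's public certificate as a trusted entry.
generate_truststore() {
    alias_value=$1; ks_path=$2; ks_password=$3; ts_path=$4; ts_password=$5
    ensure_new_store_path "$ts_path"
    cert_file=$(mktemp)
    keytool -exportcert -alias "$alias_value" -keystore "$ks_path" \
        -storepass "$ks_password" -file "$cert_file"
    keytool -importcert -alias "$alias_value" -file "$cert_file" \
        -keystore "$ts_path" -storepass "$ts_password" -noprompt
    rm -f "$cert_file"
}

# The documentation's sanity check: the file exists, is non-empty (about 2KB)
# and opens with the password you recorded.
verify_store() {
    [ -s "$1" ] && keytool -list -keystore "$1" -storepass "$2" >/dev/null
}
```

Record the alias, passwords and paths you pass in; the server.xml update in the next section needs the same values.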

B.2.4 Update Tomcat server.xml

Update server.xml to include the new keystore and truststore values.

Navigate to the following directory on the Core Server host and open server.xml in a text or XML editor:

$OACC_INSTALL/appserver/tomcat/conf

At the bottom of the file, locate the XML element <Connector port="9943" ... /> and edit the values of these four properties (keystoreFile, keystorePass, truststoreFile, truststorePass) with the values specified during keystore/truststore generation.

Save your changes and restart the Core Server. You can restart from the command line as follows: $OACC_INSTALL/appserver/tomcat/bin/startup.bat (for Windows) or startup.sh (for Linux/UNIX).
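The server.xml edit described in this section, as an added shell example that is not part of the Oracle documentation. It rewrites only the four store attributes of the port 9943 Connector, backs the file up first, and escapes passwords so that characters special to sed do not corrupt the value; the sample file contents and values used with it are constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: rewrite the four store
# attributes of the <Connector port="9943" .../> element in server.xml.
# Paths and passwords are constructed placeholders; the file is backed up first.
set -eu

# Escape a value for the replacement side of a sed s||| command
# (backslash, ampersand and the | delimiter are special there).
sed_escape() {
    printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# Join the Connector element's lines (it may span several) and rewrite only the
# keystoreFile, keystorePass, truststoreFile and truststorePass attributes,
# leaving every other connector untouched.
update_ssl_connector() {
    file=$1; ks=$(sed_escape "$2"); ksp=$(sed_escape "$3")
    ts=$(sed_escape "$4"); tsp=$(sed_escape "$5")
    cp "$file" "$file.bak"
    sed "/<Connector port=\"9943\"/{
:a
/\\/>/!{
N
b a
}
s|keystoreFile=\"[^\"]*\"|keystoreFile=\"$ks\"|
s|keystorePass=\"[^\"]*\"|keystorePass=\"$ksp\"|
s|truststoreFile=\"[^\"]*\"|truststoreFile=\"$ts\"|
s|truststorePass=\"[^\"]*\"|truststorePass=\"$tsp\"|
}" "$file.bak" > "$file"
}

# Read one attribute back from the 9943 connector to confirm the edit took.
connector_attr() {
    sed -n "/<Connector port=\"9943\"/{
:a
/\\/>/!{
N
b a
}
s|.*$2=\"\\([^\"]*\\)\".*|\\1|p
}" "$1"
}
```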

B.3 Disable Anonymous Read Write Access on the SVN Server

Some environments may require a layer of security between the Core Server and the SVN server. This section provides instructions for requiring authentication on the SVN server, and disabling anonymous read and write access.

First, encrypt an Application Configuration Console password using the MVEncryption.bat file, as follows:

B.4 Optionally Use a Customer-Supplied SSL Certificate

The Core Tomcat server uses an SSL certificate to ensure secure communication with the Application Configuration Console Clients. If desired, you can use your own certificate instead of the one supplied by Oracle. The certificate can be JKS or PKCS #12 format, and you must have the associated private key. With PKCS #12, for example, do the following: